7

The recent article Goodbye Obamaberry, hello Obamadroid describes the decision to move Obama's phone from the Blackberry to the Samsung Galaxy S4.

The Galaxy 4S is of course an old, foreign phone. As a security practitioner, I would never recommend such a beast, especially with Google's tendency away from privacy.

Apple is a domestic hardware designer... and maybe the whole point of this question. iOS is built on FOSS underpinnings (although less-so than Android). The NSA and FBI issues with the iPhone make it likely to me that it offers some level of security. The iPhone is also a more stable platform, i.e., they're very numerous and very uniform in their design, manufacture and parts. This would seem to me to be desirable for a security audit.

So... why did the U.S. government go with a "foreign" phone?

The only reason I can think of it is that the iPhone is manufactured in China, and the U.S. has expressed concern about them.

  • The fear of hardware tampering was made clear with the Huwai story a few years back makes it clear thath the U.S. government is concerned about government backed corporate espionage Huawei, ZTE Provide Opening for China Spying, Report Says
  • Android is open and South Korea is an ally, the Galaxy 4S might not be manufactured in China (can somebody confirm this?)

Also of note is that according to the article, Obama's using the phone as an OWA portal for his email, and the DISA site indicates that "there is no data at rest" DOD Mobility Classified Capability - Secret (DMCC-S), which means... the OWA angle is probably true.

This is of particular interest to me because in the past I've been asked about how to secure phones for small business owners. I would normally recommend Apple over Android and Google, the reasoning being the privacy controls and security features of the phones. A true security nut, I might suggest they go with a stripped down phone with Cyanogenmod or similar Google-free Android variant, but setting that up would be a nightmare.

Can anyone with experience in this area comment? Is this a matter of convenience of ripping apart Android vs IOS? Did the hardware platform's origin (China vs. possibly Korea) factor in?

techraf
  • 9,141
  • 11
  • 44
  • 62
mgjk
  • 7,535
  • 2
  • 20
  • 34
  • 7
    Unless you happen to get a response from someone who was involved in the decision, you are merely asking for speculation – Neil Smithline Jun 26 '16 at 22:06
  • Also, with an Android phone, the software can be tailored to the phone's intended function. – multithr3at3d Jun 26 '16 at 22:26
  • 2
    Anyone who's worked in the area would be able to contribute to the topic. Military or intelligence backgrounds are common among infosec professionals. – mgjk Jun 27 '16 at 01:59
  • 1
    In my opinion, the hardware platform's origin did matter. Samsung owns three semiconductor manifacturing plants, [two in South Korea, one in the USA](http://www.samsung.com/semiconductor/foundry/manufacturing/#), so it's even possible that the hardware for the Obama's smartphone is entirely produced in the US. – A. Darwin Jun 27 '16 at 05:52
  • I didn't know about the U.S. foundry. I had read that Samsung sources some chips from China, but it may have nothing to do with their phones, or these specific lines of phones. – mgjk Jun 27 '16 at 12:04

1 Answers1

12

The phone you are talking about is not the stock Samsung S4. As you can read in the article the cameras are removed, there is a special app store only and there are special apps on it. It also states that this phone was explicitly chosen because of the KNOX technology which includes secure boot and separation of work and private activities.

The reason this is done on a comparably old phone hardware is because the process to develop and especially audit such special solutions for a small market takes a long time.

And why did they not go with Apple? It is hard to tell, but if you develop such a system you don't want to develop it again after a year for new hardware and don't want to audit it again with each software patch. So it is important that you have hardware which is available for a long time and that you have access to the OS software to make adaptions independent from the original manufacture. And Samsung might have been just more open in this regard. And at the end the chips will be manufactured outside of the US in both cases and Samsung even makes at least part of the chips for Apple anyway.

By the way, in Germany they also use old Samsung hardware (S3) as the base for their secure phones (SiMKo3). But in this case they've made more adaptions to the OS, i.e. added separation with the use of the micro kernel L4.

Steffen Ullrich
  • 184,332
  • 29
  • 363
  • 424
  • 1
    Given that Germany doesn't have domestic designers or phone software companies, Germany's options are more limited. Interestingly the S3 seems to be also adopted by Cryptophone, which is to the best of my knowledge the most serious commercial German effort at hardened phones. http://www.cryptophone.de/en/products/mobile/cp500/ . – mgjk Jun 27 '16 at 11:43